
APT Group Carbanak Uses Public Cloud Services as Command and Control Server


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Google services are being used as a Command and Control (C2) server for Carbanak group’s malware, which spies on data and escalates privileges within the user’s infrastructure.

Affected platforms

The following platforms are known to be affected:

Threat details

The use of a legitimate third-party service, such as Google, allows the attacker to hide in plain sight.

Infection is delivered by spam email with malicious Microsoft Word documents attached; the documents contain macros that facilitate delivery of the payload. Once the user opens the attachment, multiple malicious files are downloaded, allowing the attackers to gain access to the local infrastructure.

After the malware is installed it obtains access to the administrator account and uses ‘pass the hash’, a technique that lets the attacker authenticate remotely as a user without knowing the password. By doing this the attacker is able to steal the credentials of domain-level or higher-privileged accounts on the device.

For each infected user the malware sends two requests to a Google Forms URL, which leads to the creation of a unique Google Sheets spreadsheet and Google Forms ID for that victim.


Remediation steps

  • Ensure a robust programme of education and awareness training is delivered to users so that they do not open attachments or follow links within unsolicited emails.
  • Do not have macros enabled by default, and ensure they are disabled for documents received from untrusted sources.
  • Restrict the use of email when logged in to an administrative account.
  • Monitor network and proxy logs for indications of compromise.
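As an added illustration that is not part of the original alert, the following Python script shows one way to act on the last remediation step in light of the Google Forms behaviour described under Threat details: it parses proxy log lines and lists clients that made repeated Google Forms requests from a User-Agent that does not look like a current browser. The log lines, IP addresses, form IDs and the User-Agent heuristic are all constructed assumptions; real proxy log formats and tuning will differ.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample proxy log lines (assumed Squid-style fields:
# epoch timestamp, client IP, method, URL, HTTP status, quoted User-Agent).
# The Google Forms IDs below are placeholders, not real indicators.
SAMPLE_LOG = """\
1581937200.101 10.0.5.23 GET https://www.example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.122 Safari/537.36"
1581937201.555 10.0.5.42 POST https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID_A/formResponse 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
1581937202.010 10.0.5.42 GET https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID_A/viewform 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
1581937210.300 10.0.5.17 GET https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID_B/viewform 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.122 Safari/537.36"
1581937211.400 10.0.5.17 POST https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID_B/formResponse 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.122 Safari/537.36"
1581937220.777 10.0.5.42 POST https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID_A/formResponse 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
this line is malformed and should be skipped
"""

# One record per line; malformed lines simply fail to match.
LINE_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Google Forms URLs live under docs.google.com/forms/ (viewform, formResponse, ...).
GOOGLE_FORMS_RE = re.compile(r'^https?://docs\.google\.com/forms/', re.IGNORECASE)

# Assumed heuristic: tokens present in the User-Agent of current mainstream browsers.
MODERN_BROWSER_TOKENS = ("Chrome/", "Firefox/", "Safari/", "Edg/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_google_forms(url: str) -> bool:
    """True when the request targets a Google Forms URL."""
    return bool(GOOGLE_FORMS_RE.match(url))


def looks_like_modern_browser(ua: str) -> bool:
    """True when the User-Agent carries a token of a current mainstream browser."""
    return any(tok in ua for tok in MODERN_BROWSER_TOKENS)


def find_suspicious_forms_clients(log_text: str, min_hits: int = 2) -> Dict[str, List[Dict[str, str]]]:
    """Return {client: [matching records]} for clients that made at least `min_hits`
    Google Forms requests with a User-Agent that does not look like a current browser.
    People legitimately fill in Google Forms, so the User-Agent check is what turns
    this into a triage list rather than an alert on every Forms request."""
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_google_forms(rec["url"]):
            continue
        if looks_like_modern_browser(rec["ua"]):
            continue
        hits[rec["client"]].append(rec)
    return {client: recs for client, recs in hits.items() if len(recs) >= min_hits}


if __name__ == "__main__":
    for client, recs in find_suspicious_forms_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(recs)} Google Forms requests from a non-browser User-Agent")
        for r in recs:
            print(f"  {r['method']} {r['url']} ua={r['ua']!r}")
```

On the constructed sample, 10.0.5.17 is not listed even though it submitted a form, because its requests come from a current browser User-Agent; 10.0.5.42 is listed with three requests from a legacy User-Agent. A flagged client is a starting point for investigation (which process made the requests, what else the host did around that time), not a confirmed infection.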

Last edited: 17 February 2020 11:26 am